AppLocker and Services

  • Question

  • Hello,

    I'm trying to lock down my background application servers with AppLocker on Windows 2012 R2 servers.  I put AppLocker in "Audit Only" mode to verify my policies.  I see the Event Viewer "EXE and DLL" events for people using RDP and scheduled tasks, but nothing for either Microsoft or home-grown services.

    I looked around and found a TechNet article with limitations for AppLocker.  The subset of the article below says AppLocker can't monitor a subset of a process.  When I open Process Explorer my home-grown service is a subset of services.exe, which is a subset of wininit.exe.  So I believe AppLocker will not be able to lock down services, either Microsoft, a third-party or a home-grown service.

    Has anyone had any luck getting AppLocker to monitor/limit services, and if so, how?

    "AppLocker can only control VBScript, JScript, .bat files, .cmd files, and Windows PowerShell scripts. It does not control all interpreted code that runs within a host process, for example, Perl scripts and macros. Interpreted code is a form of executable code that runs within a host process. For example, Windows batch files (*.bat) run within the context of the Windows Command Host (cmd.exe). To control interpreted code by using AppLocker, the host process must call AppLocker before it runs the interpreted code, and then enforce the decision returned by AppLocker. Not all host processes call into AppLocker and, therefore, AppLocker cannot control every kind of interpreted code, such as Microsoft Office macros."



    • Edited by dlarke13 Wednesday, March 9, 2016 4:12 PM
    Wednesday, March 9, 2016 3:53 PM